Cybersecurity researchers have uncovered a new strain of ransomware called Mimic, which uses the Everything API (the API of the Everything search engine for Windows) to locate files to encrypt. Mimic is a sophisticated piece of malware that can delete shadow copies, shut down various applications and services, and identify encrypted files. It is also capable of using multiple processor threads to encrypt data faster.

The initial stage of a Mimic ransomware attack involves the victim receiving an executable, which shuts down processes and services in order to gain access to vital information. A DLL file is dropped during the initial infection; it scans the infected system for specific file names and types. The Everything API allows Mimic to identify files suitable for encryption without risking locking system files that could make the system unbootable. The ransomware then uses its algorithm to scan all files, encrypting those that can be encrypted while bypassing any system files that might cause the system to fail. The perpetrator demands a Bitcoin payment for the safe return of the locked data, along with instructions on how to proceed. It is evident from the use of the Conti builder and the Everything API that the creators have a high level of software development expertise and a solid understanding of their objectives.

To combat ransomware, Heimdal's integrated cybersecurity suite, which includes the Ransomware Encryption Protection module, can be used. This module is compatible with any antivirus solution and is entirely signature-free, ensuring superior detection and remediation of any ransomware, whether fileless or data-based.
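As an added defender-side example (not code from the Heimdal article or from any vendor), the following Python checks constructed process-creation and image-load records for the two behaviours described above: a process other than the Everything client loading the Everything SDK library, and shadow copy deletion commands. The SDK library names (Everything32.dll / Everything64.dll), the process names and the sample paths are assumptions; the article does not name the DLL that Mimic drops.

```python
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry), loosely modelled on Sysmon
# Event ID 7 (image loaded) and Event ID 1 (process created).
SAMPLE_EVENTS: List[Dict] = [
    {"id": 7, "image": r"C:\Program Files\Everything\Everything.exe",
     "loaded": r"C:\Program Files\Everything\Everything64.dll"},
    {"id": 7, "image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\Everything64.dll"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Assumption: the Everything SDK ships as Everything32.dll / Everything64.dll and
# is legitimately loaded by the Everything.exe client; other loaders are suspect.
EVERYTHING_SDK_DLLS = {"everything32.dll", "everything64.dll"}
EVERYTHING_CLIENT = "everything.exe"
# Substrings covering the common vssadmin / wmic shadow copy deletion forms.
SHADOW_DELETE_MARKERS = ("delete shadows", "shadowcopy delete")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, offending_image) pairs for matching events."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        if ev["id"] == 7 and basename(ev["loaded"]) in EVERYTHING_SDK_DLLS:
            # The search client itself is expected to load its SDK library;
            # any other process doing so mirrors Mimic's file-enumeration trick.
            if basename(ev["image"]) != EVERYTHING_CLIENT:
                alerts.append(("everything_sdk_abuse", ev["image"]))
        elif ev["id"] == 1:
            # Normalise whitespace and case before matching the command line.
            cmd = " ".join(ev.get("cmdline", "").lower().split())
            if any(marker in cmd for marker in SHADOW_DELETE_MARKERS):
                alerts.append(("shadow_copy_deletion", ev["image"]))
    return alerts


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

In a real deployment the rule for SDK loads should be tuned to the installed path of the Everything client, since a copy of the DLL under a user-writable directory is the more telling signal.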
This Cyber News was published on heimdalsecurity.com. Publication date: Tue, 31 Jan 2023 09:28:03 +0000